W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1995

Re: No More Passwords In The Clear in HTTP!

From: Daniel W. Connolly <connolly@hal.com>
Date: Mon, 09 Jan 1995 16:11:50 -0600
Message-Id: <9501092211.AA11588@ulua.hal.com>
To: Brian Behlendorf <brian@wired.com>
Cc: www-talk@info.cern.ch, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
In message <Pine.BSD.3.91.950109121342.19279d-100000@get.wired.com>, Brian Behl
endorf writes:
>	Brian
>
>--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
>brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/

Yikes! Jinks! I asked for a reference to s-key in my p.s.
Brian replies to other issues, but includes the address of
his home-page.

Dan wastes a little time surfing Brian's home-page, and subconsiously
follows these links...

http://www.hotwired.com/Staff/brian/
http://www.hotwired.com/Staff/brian/links.html
http://www.ccs.neu.edu/home/thigpen/index.html
http://www.ccs.neu.edu/home/thigpen/html/interests.html
http://www.ccs.neu.edu/home/thigpen/html/security.html

Which has a handy reference to the S/Key paper from bellcore:
http://www.ccs.neu.edu/home/thigpen/docs/security_papers/ISOC.symp.ps


After reading the S/Key paper, I think we should consider it in place
of the simple challenge/response system.

Advantages of S/Key:

	* passwords are _not_ stored on the server side in clear
	form.
	* user can securely use the same password at different sites
	* password can be changed without sending it over the net

Drawbacks:
	* server-side passwd database is not read-only: server must
	update the user's count of logins each time
	* doesn't support the opaque="..." feature of the spyglass proposal

Dan
Received on Monday, 9 January 1995 14:23:38 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:13 EDT